CVE-2022-50616
Description
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Use different devices for resource allocation and DT lookup
Following the discussion below, there is a potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/
From Yingliang's analysis:
CPU A                            |CPU B
mt6370_probe()                   |
  devm_mfd_add_devices()         |
                                 |mt6370_regulator_probe()
                                 |  regulator_register()
                                 |    //allocate init_data and add it to devres
                                 |    regulator_of_get_init_data()
i2c_unregister_device()          |
  device_del()                   |
    devres_release_all()         |
      // init_data is freed      |
      release_nodes()            |
                                 |    // using init_data causes UAF
                                 |    regulator_register()
It's common to use mfd core to create a child device for the regulator. In order to do the DT lookup for init data, the child that registered the regulator would pass its parent as the parameter. And this causes the init data resource to be allocated to its parent, not itself. The issue happens when the parent device is going to be released and the regulator core is still doing some operation on the init data constraints for the regulator of the child device.
To fix it, this patch expands the 'regulator_register' API to use different devices for init data allocation and DT lookup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel regulator core occurs when an MFD parent device is removed while a child regulator still accesses init data that was devm-allocated on the parent and freed with it; the fix separates the device used for resource allocation from the device used for the DT lookup.
Vulnerability
Overview
CVE-2022-50616 is a use-after-free (UAF) vulnerability in the Linux kernel's regulator core, discovered during analysis of a race condition between MFD (Multi-Function Device) parent removal and child regulator registration. The root cause is that the regulator_register() API uses the parent device for both resource allocation (via devres) and Device Tree (DT) lookup of init data. When an MFD parent device is unregistered (e.g., via i2c_unregister_device()), its devres resources are freed, including the init data allocated for a child regulator. If the child regulator registration is still in progress and accesses that freed init data, a UAF occurs [1].
Exploitation
Scenario
The vulnerability is triggered by a race condition between two CPUs: CPU A removes the parent MFD device (e.g., mt6370_probe() followed by i2c_unregister_device()), while CPU B concurrently registers a child regulator via regulator_register(). The child regulator's regulator_of_get_init_data() call allocates init data on the parent's devres list. When CPU A's device removal triggers devres_release_all(), the init data is freed. CPU B then continues to use that freed memory, leading to UAF [1].
Impact
An attacker who can trigger this race condition (e.g., by hot-unplugging an MFD device while a regulator is being registered) could exploit the UAF to corrupt kernel memory, potentially leading to privilege escalation or a system crash (denial of service). The vulnerability is local and requires specific hardware or driver interactions, but no authentication is needed beyond the ability to trigger device removal and regulator registration [1].
Mitigation
The fix, introduced in Linux kernel stable commit cb29811d989b, expands the regulator_register() API to use separate devices for resource allocation and DT lookup. This ensures that init data is allocated to the child device (which has a longer lifetime) rather than the parent, preventing premature freeing. Users should apply the latest kernel updates from their distribution to remediate this issue [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
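The lifetime mistake the description and the AI Insight both outline, as a user-space C model added here (not code from the kernel patch or from this CVE record): init data devm-allocated on the parent's devres list is freed with the parent even though the child regulator still holds the pointer, whereas allocating it on the child keeps it alive. The devres structures, the `alloc_dev`/`lookup_dev` split and the device names are simplified assumptions, not the kernel's real definitions, and the "use" in the vulnerable path is only described in a comment so the model itself never touches freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of devres: each device owns a list of allocations that are
 * freed together by devres_release_all() when the device is deleted. */
struct devres_node { void *data; struct devres_node *next; };
struct device { const char *name; struct devres_node *devres; };
static void *devm_zalloc(struct device *dev, size_t size) {
    struct devres_node *n = calloc(1, sizeof *n);
    if (!n || !(n->data = calloc(1, size))) abort();
    n->next = dev->devres;
    dev->devres = n;
    return n->data;
}
/* device_del() -> devres_release_all(): every devm allocation on dev dies here. */
static void devres_release_all(struct device *dev) {
    for (struct devres_node *n = dev->devres, *next; n; n = next) {
        next = n->next; free(n->data); free(n);
    }
    dev->devres = NULL;
}
/* Does dev's devres list own ptr? Compares identity only, never dereferences. */
static bool devres_owns(const struct device *dev, const void *ptr) {
    for (const struct devres_node *n = dev->devres; n; n = n->next)
        if (n->data == ptr) return true;
    return false;
}
struct regulator_init_data { int min_uV, max_uV; };
/* Model of regulator_of_get_init_data(): the DT lookup walks lookup_dev's node (the
 * parent, whose node carries the regulator subnodes) but the result is devm-allocated
 * on alloc_dev. Before the fix both were the parent; after it alloc_dev is the child. */
static struct regulator_init_data *
regulator_of_get_init_data(struct device *alloc_dev, struct device *lookup_dev) {
    (void)lookup_dev; /* DT parsing elided; fixed values stand in for parsed properties */
    struct regulator_init_data *d = devm_zalloc(alloc_dev, sizeof *d);
    d->min_uV = 1800000; d->max_uV = 3300000;
    return d;
}
/* Replays the CPU A / CPU B interleaving from the description. Returns true when the
 * init data is still owned by the (still registered) child after the parent is gone. */
static bool init_data_survives_parent_removal(bool allocate_on_child) {
    struct device parent = { .name = "mt6370" }, child = { .name = "mt6370-regulator" };
    struct regulator_init_data *init =
        regulator_of_get_init_data(allocate_on_child ? &child : &parent, &parent);
    bool owned_by_child = devres_owns(&child, init);
    devres_release_all(&parent); /* CPU A: i2c_unregister_device() -> device_del() */
    /* CPU B would now read init->min_uV in regulator_register(); with the parent gone
     * that read is a use-after-free unless the child owns the memory. */
    devres_release_all(&child);
    return owned_by_child;
}
```

`init_data_survives_parent_removal(false)` models the pre-fix behaviour (allocation on the parent) and returns false; `init_data_survives_parent_removal(true)` models the fix and returns true.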
Affected products: 2
Patches: 3
cb29811d989bb0f25ca1ff9b8f3cbcd6b440
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.